
Quoting into Cypher queries using PHP (escaping a string)

I’m using PHP and neoxygen/neo4j-neoclient to build a graph database and looking for a way to escape strings so that I can quote them safely into Cypher queries. I’m aware of the documentation on Cypher expressions but I was wondering if perhaps somebody already wrote such an escape function in PHP (or perhaps other languages so that I can port it to PHP)? Perhaps I could get away with using PHP escape functions which already exist for let’s say MySQL?

EDIT: So finally, in case anyone is looking for a way to pass parameters with sendCypherQuery, here's an example:

$parameters = array(
    'key' => 'example',
);

// The value travels separately from the query text, so it is never parsed as Cypher.
$client->sendCypherQuery("MERGE (node {key:{key}})", $parameters);

This is equivalent to the Cypher query:

MERGE (node {key:'example'})


Answer

What you describe as a potential “injection” is possible for all variables that you do not pass as parameters.

So for Cypher and NeoClient, be sure to ALWAYS pass your variables as the second argument of the sendCypherQuery method.

As a side note, in PHP, mysql_real_escape_string has been obsolete since PHP 5.5.0, so for more than two years. This is why you would use PDO, for example, and pass variables as query parameters there too.
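To make the answer concrete, here is an added example (not code from the question, the answer, or the neoclient project) that puts the string-concatenation approach next to the parameterized one with a constructed attacker input. It assumes `$client` is a neoxygen/neo4j-neoclient client whose `sendCypherQuery()` takes the query string and a parameter array, as shown in the question; the helper names `buildUnsafe`, `buildSafe` and `assertAllowedLabel` are hypothetical. The `{key}` placeholder syntax is what the question uses; Neo4j 4 and later removed it in favour of `$key`.

```php
<?php
// Added example, not from the original post or from neoclient.
declare(strict_types=1);

// UNSAFE: the value is spliced into the query text, so the structure of the
// query depends on user input. With the attacker input below, the literal and
// the property map are closed, a destructive clause is appended, and the rest
// of the original query is commented out with `//`.
function buildUnsafe(string $key): string
{
    return "MERGE (node {key:'" . $key . "'})";
}

// SAFE: the query text is a constant; the value is shipped out of band as a
// parameter and is stored verbatim, never parsed as Cypher.
function buildSafe(string $key): array
{
    return [
        'query'  => 'MERGE (node {key:{key}})', // Neo4j 4+: 'MERGE (node {key:$key})'
        'params' => ['key' => $key],
    ];
}

// Labels and relationship types cannot be parameters, so anything that ends up
// in that position must be checked against an allowlist rather than escaped.
function assertAllowedLabel(string $label, array $allowed): string
{
    if (!in_array($label, $allowed, true)) {
        throw new InvalidArgumentException("label not allowed: $label");
    }
    return $label;
}

// Constructed attacker input (not taken from any real incident).
$attack = "x'}) WITH node MATCH (n) DETACH DELETE n //";

echo "Concatenated query:\n", buildUnsafe($attack), PHP_EOL;

$safe = buildSafe($attack);
echo "Parameterized query text:\n", $safe['query'], PHP_EOL;
echo "Parameter value (stored as-is):\n", $safe['params']['key'], PHP_EOL;

// Only talks to Neo4j when a neoclient client has been set up by the caller
// (assumed, so the script stays runnable without a database).
if (isset($client)) {
    $label = assertAllowedLabel($_GET['type'] ?? 'Person', ['Person', 'Company']);
    $client->sendCypherQuery("MERGE (node:$label {key:{key}})", $safe['params']);
}
```

Running it without a database prints the concatenated query, which now reads `MERGE (node {key:'x'}) WITH node MATCH (n) DETACH DELETE n //'})` and deletes every node in the graph, while the parameterized query text is unchanged and the whole attacker string is simply stored as the property value. The allowlist check covers the one place where parameters cannot help: a label or relationship type taken from user input.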

User contributions licensed under: CC BY-SA